Jan 13 2020

Federated Identity Management: SAML vs. OAuth

As identity and access management and single sign-on become more prevalent across government, IT pros should catch up on the differences between the security protocols involved.

In April 2018, the Office of Management and Budget issued a draft memo on updating federal identity, credential and access management policy. More than a year later, on May 21, 2019, OMB issued the final policy. The updated policy focuses on how the government can enable more digital interactions with citizens while protecting their privacy and security.

The government has placed “an intensified focus on risk management and the adoption of processes, policies, and solutions that enhance privacy and security and that mitigate the degradation of operational service delivery,” the policy states.

As such, identity management “has become even more critical to the Federal Government’s successful delivery of mission and business promises to the American public.”

As the government continues to evolve federated identity management and enable single sign-on solutions on top of that, the use of two different protocols is likely to come into play even more than before. Those protocols, Security Assertion Markup Language (SAML) and Open Authorization (OAuth), are two of the building blocks of secure, federated identity.


What Is Federated Identity?

Federated identity management lets users access the systems and applications of multiple organizations using one login credential, as the National Institute of Standards and Technology’s “Developing Trust Frameworks to Support Identity Federations” document notes.

Identity federation enables users to “maintain login credentials with multiple credential service providers (CSPs) (e.g., email or social media providers) and then choose among them when logging into different online services.”

Essentially, as NIST notes, users register once with their selected CSP and set up online credentials to be managed by that CSP for authentication. When a user wants to access a relying party service or application, including Software as a Service apps, that user is redirected to their preferred CSP for authentication using the credentials the user established with that CSP.

The CSP then presents the status of the authentication to the relying party so that the user can access the app.

“In this way, users do not need to register or establish login credentials with each service they want to access, and instead they only need to provide their credentials to their selected CSP,” NIST says.

In a blog post, Andreas Zindel, a director of technical marketing for Centrify's Identity Service, notes that federated identity management refers to a way to connect identity management systems together.

“With FIM, a user's credentials are always stored with a ‘home’ organization (the ‘identity provider’),” Zindel writes. “When the user logs into a service (SaaS application), instead of providing credentials to the service provider, the service provider trusts the identity provider to validate the credentials. So the user never provides credentials directly to anyone but the identity provider.”

Users are federating their service providers (SaaS applications) with their FIM (identity provider), he adds.

Federated identity management and single sign-on are not synonymous, Zindel writes. “FIM gives you SSO, but SSO doesn’t necessarily give you FIM,” he notes.

What Is SAML?

As Tracy David, a cloud client executive with CDW, notes in a blog post, SSO is a high-level term used to “describe a scenario in which a user applies one set of credentials to access multiple domains.”

SSO uses the Security Assertion Markup Language (SAML) protocol, which is an Extensible Markup Language standard that allows a user to log in once for affiliated but separate websites, David notes.

“Or in plain English, instead of using passwords to access systems, it uses highly complex encrypted keys, which the end user has no access to view or change,” he writes. “SAML is designed for business-to-business (B2B) and business-to-consumer (B2C) transactions.”

According to the website Security Boulevard, SAML is a standard authentication (and occasionally authorization) protocol which is most often used by SSO providers to relay credentials between an identity provider, which contains the credentials to verify a user, and a service provider, which is the resource that requires authentication.

Under SAML, a user, via a web browser, requests to log in to a service or app. The service defers authentication to a specific identity provider registered with it, and the browser relays the authentication request to that identity provider for login. Upon a successful credential check, the identity provider generates an XML-based assertion verifying the user’s identity and relays it to the browser, which in turn relays the XML assertion to the service or app. The service provider accepts that assertion as a “ticket” for entry, logs the user in and grants access to the service.

“Said another way, using SAML, developers can leverage SAML plugins to ensure their app or resource follows desirable single sign-on practices to simplify their user’s login experience and ensure security practices are laid in place to leverage a common identity strategy,” the website notes. “That way, only an identity with the proper credentials/assertion can access an application. Additionally, SAML can be used to control what said identity can access in an application.”
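The service-provider side of the exchange described above, as an added example that is not part of this article or of the Security Boulevard post it summarizes: a Python script that builds a constructed, unsigned SAML 2.0 Response (as an identity provider would return it through the browser in the SAMLResponse form field) and then runs the checks a service provider must make before treating the assertion as a “ticket”. The entity IDs, URLs, request IDs and user are hypothetical. Signature verification is assumed to have been done by an XML-DSig library (for example python3-saml or signxml) before these checks run, since the standard library cannot do it.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 2.0 namespaces and the success status URI.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical service-provider (SP) configuration; none of these URLs are real.
SP_ENTITY_ID = "https://app.example.gov/saml/metadata"
SP_ACS_URL = "https://app.example.gov/saml/acs"
TRUSTED_IDP = "https://idp.example.gov/saml/metadata"
CLOCK_SKEW = timedelta(minutes=2)
NOW = datetime(2020, 1, 13, 12, 0, tzinfo=timezone.utc)  # fixed clock so the walkthrough is deterministic


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_response(request_id, now=NOW, issuer=TRUSTED_IDP, audience=SP_ENTITY_ID,
                   name_id="user@example.gov", lifetime=timedelta(minutes=5)):
    """Constructed IdP Response, base64-encoded as it travels in the SAMLResponse form field.
    A real IdP signs the Assertion with XML-DSig; the Signature element is omitted here."""
    expires = _iso(now + lifetime)
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_{uuid.uuid4().hex}"
    Version="2.0" IssueInstant="{_iso(now)}" InResponseTo="{request_id}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_iso(now)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{request_id}" Recipient="{SP_ACS_URL}" NotOnOrAfter="{expires}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{_iso(now)}" NotOnOrAfter="{expires}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def consume_response(saml_response_b64, pending_request_ids, seen_assertion_ids, now=NOW):
    """SP-side checks on a posted SAMLResponse; returns the NameID or raises ValueError.
    Assumes the XML signature was verified first and, in production, a hardened parser (e.g. defusedxml)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP reported failure")
    # Only the IdP this SP was configured to trust, at Response and Assertion level alike.
    assertion = root.find("saml:Assertion", NS)
    issuers = [] if assertion is None else [root.findtext("saml:Issuer", None, NS), assertion.findtext("saml:Issuer", None, NS)]
    if issuers != [TRUSTED_IDP, TRUSTED_IDP]:
        raise ValueError("missing assertion or untrusted issuer")
    # Tie the response to a request this SP really sent; each request ID is usable once.
    in_response_to = root.get("InResponseTo")
    if in_response_to not in pending_request_ids:
        raise ValueError("unsolicited or replayed InResponseTo")
    pending_request_ids.discard(in_response_to)
    # Reject a replayed assertion even while it is still inside its validity window.
    if assertion.get("ID") in seen_assertion_ids:
        raise ValueError("assertion replayed")
    seen_assertion_ids.add(assertion.get("ID"))
    # Validity window, with bounded tolerance for IdP/SP clock drift.
    cond = assertion.find("saml:Conditions", NS)
    if (now + CLOCK_SKEW < _parse_time(cond.get("NotBefore"))
            or now - CLOCK_SKEW >= _parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("outside validity window")
    # Audience restriction: an assertion minted for another SP is not a ticket here.
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("audience mismatch")
    # Bearer confirmation: delivered to this ACS endpoint, for this request, and unexpired.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != in_response_to
            or now - CLOCK_SKEW >= _parse_time(scd.get("NotOnOrAfter"))):
        raise ValueError("subject confirmation failed")
    return assertion.find("saml:Subject/saml:NameID", NS).text


def demo():
    pending, seen = {"_req1"}, set()
    good = build_response("_req1")
    outcomes = {"login": consume_response(good, pending, seen)}
    scenarios = [
        ("replay", good, {"_req1"}, NOW),
        ("wrong_audience", build_response("_req2", audience="https://other.example.gov/saml/metadata"), {"_req2"}, NOW),
        ("expired", build_response("_req3"), {"_req3"}, NOW + timedelta(minutes=10)),
    ]
    for label, response, pend, when in scenarios:
        try:
            consume_response(response, pend, seen, when)
            outcomes[label] = "accepted"
        except ValueError as err:
            outcomes[label] = str(err)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Running the script prints one outcome per scenario: the valid response yields the NameID, while the replayed, mis-audienced and expired responses are rejected before any session is created. The InResponseTo set and the assertion-ID replay cache live in memory here; a real SP keeps them in shared storage so that a replay aimed at a different node is caught too.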

Login.gov, the federal single sign-on project based out of the General Services Administration’s Technology Transformation Service, offers the public secure and private online access to participating government programs. With one login.gov account, users can sign into multiple government agencies. Login.gov is a standard SAML identity provider, adhering to the Web Browser SSO Profile with enhancements for NIST SP 800-63-3.

However, Login.gov strongly recommends choosing OpenID Connect over SAML “due to its modern, API-centric design and support for native mobile applications.”


What Is OAuth?

OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol. But what is OAuth?

Rob Sobers, a software engineer specializing in web security at security software firm Varonis, notes in a blog post that OAuth is “an open-standard authorization protocol or framework that provides applications the ability for ‘secure designated access.’”

OAuth does not share password data but “instead uses authorization tokens to prove an identity between” users and service providers, Sobers writes. “OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password,” he says.

OAuth works over HTTPS and authorizes devices, application programming interfaces, servers and applications with access tokens rather than credentials, according to an Okta blog post. OAuth 2.0 is now the most widely used version of the protocol.

For example, a user can tell one application that it’s OK for another website to access that application without giving the website the password for the application. That helps minimize risk, Sobers writes, because if the website suffers a data breach, the user’s password will remain secure. 


SAML vs. OAuth

There are several key differences between SAML and OAuth.

SAML uses XML to pass messages while OAuth uses JavaScript Object Notation, according to Sobers.

“OAuth provides a simpler mobile experience, while SAML is geared towards enterprise security,” he writes. “That last point is a key differentiator: OAuth uses API calls extensively, which is why mobile applications, modern web applications, game consoles, and Internet of Things (IoT) devices find OAuth a better experience for the user.”

However, SAML “drops a session cookie in a browser that allows a user to access certain web pages — great for short-lived workdays, but not so great when you have to log in to your thermostat every day.”

Meanwhile, according to Security Boulevard, “OAuth is more tailored towards access scoping than SAML. Access scoping is the practice of allowing only the bare minimum of access within the resource/app an identity requires once verified.”
